Simple unix busting
(the microphar dongle galore)
by Dr. Fuhrball
(6 November 1997)
Dongle cracking
Courtesy of Fravia's page
of reverse engineering
Well, I received this good essay more than a week ago, yet I begged
Dr. Fuhrball to 'deepen' it a little, since many of our readers could be VERY
interested in unix cracking, yet may not be very well acquainted with some of
the concepts that unix experts take for granted. Dr Fuhrball was so kind as to
modify and revise his essay. Here it is, I'm sure many of you will find it
particularly interesting.
Simple unix busting
by Dr. Fuhrball
modified 6 November 1997
I have read all of the student essays, and none refer
to unix, and only two refer to dongles. This essay refers
to both and describes some techniques.
HISTORY:
The unix lineage for X86 based architecture goes back to
the original Xenix for the 286 that Microsoft produced back in
1983 with source code bought from AT&T for about 1 million
dollars. About 6 months after the purchase of source code
from AT&T, AT&T started selling source code to anyone with
65 to 250 thousand dollars. Billy boy got a bit miffed and
split off the Xenix product to Santa Cruz Operation (SCO).
SCO has been producing Unix ever since. They have significantly
added to the line with networking from Lachman and Sun, and
X windows from MIT. SCO OpenServer 5 is a highly integrated
and slick product, but it's fairly expensive too. If you are
at a University however you can get the product for virtually
nothing.
MAJOR NOTE: you need the root password to do all of this.
The product in question is Aries, which is a 3d graphics
package that runs on SCO OpenServer 5. Similar to AutoCAD
in function, it's about 100 times more powerful. And about
5 times as expensive. It drives SLAs (stereolithography
apparatus) directly. (An argon ion laser writes on a nasty
chemical which turns solid, creating 3d shapes.) It also
drives my hobby mill in the basement.
Anyway, this program comes with a Microphar (French) dongle
which is basically a few gates and a National Semiconductor
EEPROM, the NMC9306 (32 words). A lot of the dongles out there
use this part because of its extremely low power consumption.
Its serial 2 wire interface and open collector output
make it perfect for attachment to a printer port.
There are a number of ways to break this thing. Since I have
an MSEE (Master of Science, Electrical Engineering),
my first inclination is to hook up the logic analyzer
and look at what's going on. I have now seen at least 5 different
dongles that all use the National Semiconductor EEPROM, in various
creative ways, but it's basically the same thing. The logic analyzer
trick certainly works, because you can see the entire data stream,
and if you wanted to you could create a completely compatible device
which, combined with a small software program, would allow you to read
out all of the data and then program it into your own device. However,
the use of dongles tends to cause other problems, especially with
most new bi-directional laser printers. So removing the device
altogether is preferable. The logic analyzer method relies on the fact
that there is really only one data output line, one clock line and
one data input line. The rest of the lines are either don't-care, or
held in a high or low state to enable the device.
(The new Rainbow Technologies Software Sentinel Pro is just a fancied-up
version of the same, with the addition of the 8 shift register with
adjustable feedback they have used of old), 100% proprietary of course.
Of course I also have an MSCS (Master of Science, Computer Science),
and that inclines me toward the software crack. Which is elegant, because it
does not touch the original Aries code. And that's good, because the
main executable is over 10mb. And with their update-of-the-month club,
you could be cracking this thing for the rest of your life. In addition
there are 6 different executables that would need cracking.
This crack, once installed, lasts forever.
Back to the story:
When you install this program it adds a device driver that
talks to the dongle.
In all unixes, virtually everything is done with device drivers:
hard disk, serial ports, ethernet ports, the video display...
You can even access memory through a device driver.
Virtually all X86 based unixes today that are based on AT&T 5.4 code do
the following in exactly the same manner.
(SCO, Interactive, UHC, Consensys, Novell Unix....)
(BSDI and Solaris are different, however, but these tricks still hold.)
Running strings on the Driver.o module in /etc/conf/pack.d/mp shows,
among others, the following symbols.
(All unix drivers are stored in /etc/conf/pack.d/drivername and consist
of an object module and possibly a C tunables file called space.c.)
(Also, on new unixes, these directories are actually symbolically linked
to somewhere else.)
mpopen, mpclose, mpread, mpwrite...
So now we have the names to look at in kernel space.
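The same strings-on-Driver.o trick cuts both ways: an administrator who knows that every driver under pack.d exposes <prefix>open/<prefix>close/... entry points can inventory what the kernel is built from, and can tell whether any driver object has been modified since install. The script below is an added example, not part of Dr. Fuhrball's essay or of any SCO tool. It assumes the <root>/<driver>/Driver.o layout described above, implements a minimal strings(1) with tr so it needs no binutils, and the two-driver tree built by make_sample_tree is constructed purely for demonstration.

```shell
#!/bin/sh
# Added example (not from the essay): inventory the driver objects under a
# pack.d-style tree and check them against a saved baseline.  The directory
# name is the driver prefix; entry points are <prefix>open/close/read/write/
# ioctl/init, the naming the essay finds with strings.  Assumes a layout of
# <root>/<driver>/Driver.o; the sample tree below is constructed.

# Poor man's strings(1): printable runs of 4+ characters, one per line.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Entry points visible in one Driver.o, derived from its directory name.
driver_entry_points() {
    name=$(basename "$(dirname "$1")")
    printable_runs "$1" | grep -E "^${name}(open|close|read|write|ioctl|init)$" | sort -u
}

# Walk the tree and print "<driver> <entry points...>" for each driver.
inventory_pack_d() {
    for obj in "$1"/*/Driver.o; do
        [ -f "$obj" ] || continue
        printf '%s %s\n' "$(basename "$(dirname "$obj")")" \
            "$(driver_entry_points "$obj" | tr '\n' ' ')"
    done
}

# Baseline: POSIX cksum of each Driver.o with its path relative to the root,
# so the file can be stored off the machine at install time.
baseline_pack_d() {
    for obj in "$1"/*/Driver.o; do
        [ -f "$obj" ] || continue
        sum=$(cksum < "$obj" | cut -d' ' -f1)
        printf '%s %s\n' "$sum" "${obj#$1/}"
    done
}

# Compare the live tree with a baseline.  Prints each changed or missing
# object and returns 1 if anything differs, 0 if all objects match.
check_pack_d() {
    root=$1; base=$2; rc=0
    while read -r sum rel; do
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING  $rel"; rc=1
        elif [ "$(cksum < "$root/$rel" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED  $rel"; rc=1
        fi
    done < "$base"
    return $rc
}

# Constructed sample tree: two fake driver objects with symbol names embedded
# in binary junk, standing in for real COFF/ELF object modules.
make_sample_tree() {
    root=$1
    mkdir -p "$root/mp" "$root/sio"
    printf 'junk\001\002mpopen\000mpclose\000mpread\000mpwrite\000\377' > "$root/mp/Driver.o"
    printf '\003sioopen\000sioclose\000sioioctl\000' > "$root/sio/Driver.o"
}

# Usage on a real system (run as root, paths per the essay):
#   baseline_pack_d /etc/conf/pack.d > /safe/place/pack.d.baseline
#   inventory_pack_d /etc/conf/pack.d
#   check_pack_d /etc/conf/pack.d /safe/place/pack.d.baseline
```

Because pack.d directories are often symbolic links on newer systems, point the functions at the resolved directory if you want the baseline paths to stay stable across upgrades. A changed Driver.o is not proof of tampering (vendor updates change it too), but it is the event an administrator wants to see flagged before the next kernel relink.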
Fire up adb on /unix, disassemble starting at mpopen, and you get
(one of the nice things about unix is that you can always get to
kernel space, but be careful patching a live kernel)
dumpfile = /dev/mem, namelist = /unix, outfile = stdout
>
mpopen pushl %ebp
mpopen+1 movl %esp,%ebp
mpopen+3 subl $0x0,%esp
mpopen+9 pushl %ebx
mpopen+a pushl %edi
mpopen+b pushl %esi
mpopen+c testb $0x1,0xd00ee570 [-,valeur_port +1c]
mpopen+13 je 0x0c